FortiGuard Web Filtering Service
FortiGuard Web Filter is a managed web filtering solution available by subscription from Fortinet. FortiGuard Web Filter enhances the web filtering features supplied with your FortiGate unit by sorting billions of web pages into a wide range of categories users can allow or block. The FortiGate unit accesses the nearest FortiGuard Web Filter Service Point to determine the category of a requested web page, and then applies the security policy configured for that user or interface.
FortiGuard Web Filter includes over 45 million individual ratings of web sites that apply to more than two billion pages. Pages are sorted and rated into several dozen categories administrators can allow or block. Categories may be added or updated as the Internet evolves. To make configuration simpler, you can also choose to allow or block entire groups of categories. Blocked pages are replaced with a message indicating that the page is not accessible according to the Internet usage policy.
FortiGuard Web Filter ratings are performed by a combination of proprietary methods including text analysis, exploitation of the web structure, and human raters. Users can notify the FortiGuard Web Filter Service Points if they feel a web page is not categorized correctly, so that the service can update the categories in a timely fashion.
Before you begin to use the FortiGuard Web Filter options you should verify that you have a valid subscription to the service for your FortiGate firewall.
FortiGuard Web Filter and your FortiGate unit
When FortiGuard Web Filter is enabled in a web filter profile, the setting is applied to all firewall policies that use this profile. When a request for a web page appears in traffic controlled by one of these firewall policies, the URL is sent to the nearest FortiGuard server. The URL category is returned. If the category is blocked, the FortiGate unit provides a replacement message in place of the requested page. If the category is not blocked, the page request is sent to the requested URL as normal.
FortiGuard Web Filter Actions
The Possible Actions are:
- Allow permits access to the sites within the category.
- Block prevents access to sites within the category. Users attempting to access a blocked site will receive a replacement message explaining that access to the site is blocked.
- Monitor permits and logs access to sites in the category. You may also enable user quotas when enabling the monitor action.
- Warning presents the user with a message, allowing them to continue if they choose.
- Authenticate requires a user authenticate with the FortiGate unit before being allowed access to the category or category group.
- Disable prevents that category, and all sub-categories, from inspection. This permits access to the sites within the category.
The choices of actions available will depend on the mode of inspection.
- Proxy – Allow, Block, Monitor, Warning, Authenticate and Disable.
- Flow-based – Allow, Block & Monitor.
- DNS – Allow, Block & Monitor.
FortiGuard Web Filtering categories
The following tables identify each web filtering category (organized by group) along with associated category IDs. For a complete description of each web filtering category, visit http://www.fortiguard.com/webfilter.
Potentially Liable
ID | Category | ID | Category | |
1 |
Drug Abuse |
12 |
Extremist Groups |
|
3 |
Hacking |
59 |
Proxy Avoidance |
|
4 |
Illegal or Unethical |
62 |
Plagiarism |
|
5 |
Discrimination |
83 |
Child Abuse |
|
6 |
Explicit Violence |
|||
Adult/Mature Content |
||||
ID | Category | ID | Category | |
2 |
Alternative Beliefs |
16 |
Weapons (Sales) |
|
7 |
Abortion |
57 |
Marijuana |
|
8 |
Other Adult Materials |
63 |
Sex Education |
|
9 |
Advocacy Organizations |
64 |
Alcohol |
|
11 |
Gambling |
65 |
Tobacco |
|
13 |
Nudity and Risque |
66 |
Lingerie and Swimsuit |
|
14 |
Pornography |
67 |
Sports Hunting and War Games |
|
15 |
Dating |
|||
Bandwidth Consuming |
||||
ID | Category | ID | Category | |
19 |
Freeware and Software Downloads |
72 |
Peer-to-peer File Sharing |
|
24 |
File Sharing and Storage |
75 |
Internet Radio and TV |
|
25 |
Streaming Media and Download |
76 |
Internet Telephony |
Security Risk
ID | Category | ID | Category | |
26 |
Malicious Websites |
86 |
Spam URLs |
|
61 |
Phishing |
88 |
Dynamic DNS |
|
General Interest – Personal |
||||
ID | Category | ID | Category | |
17 |
Advertising |
47 |
Travel |
|
18 |
Brokerage and Trading |
48 |
Personal Vehicles |
|
20 |
Games |
54 |
Dynamic Content |
|
23 |
Web-based Email |
55 |
Meaningless Content |
|
28 |
Entertainment |
58 |
Folklore |
|
29 |
Arts and Culture |
68 |
Web Chat |
|
30 |
Education |
69 |
Instant Messaging |
|
33 |
Health and Wellness |
70 |
Newsgroups and Message Boards |
|
34 |
Job Search |
71 |
Digital Postcards |
|
35 |
Medicine |
77 |
Child Education |
|
36 |
News and Media |
78 |
Real Estate |
|
37 |
Social Networking |
79 |
Restaurant and Dining |
|
38 |
Political Organizations |
80 |
Personal Websites and Blogs |
|
39 |
Reference |
82 |
Content Servers |
|
40 |
Global Religion |
85 |
Domain Parking |
|
42 |
Shopping |
87 |
Personal Privacy |
|
44 |
Society and Lifestyles |
89 |
Auction |
|
46 |
Sports |
General Interest – Business
ID | Category | ID | Category | |
31 |
Finance and Banking |
52 |
Information Technology |
|
41 |
Search Engines and Portals |
53 |
Armed Forces |
|
43 |
General Organizations |
56 |
Web Hosting |
|
49 |
Business |
81 |
Secure Websites |
|
50 |
Information and Computer Security |
84 |
Web-based Applications |
|
51 |
Government and Legal Organizations |
FortiGuard Web Filter usage quotas
In addition to using category and classification blocks and overrides to limit user access to URLs, you can set a daily timed access quota by category, category group, or classification. Quotas allow access for a specified length of time, calculated separately for each user. Quotas are reset every day at midnight.
Users must authenticate with the FortiGate unit. The quota is applied to each user individually so the FortiGate must be able to identify each user. One way to do this is to configure a security policy using the identity based policy feature. Apply the web filter profile in which you have configured FortiGuard Web Filter and FortiGuard Web Filter quotas to such a security policy.
The use of FortiGuard Web Filter quotas requires that users authenticate to gain web access. The quotas are ignored if applied to a security policy in which user authen- tication is not required.
Editing the web filter profile resets the quota timers for all users.
When a user first attempts to access a URL, they’re prompted to authenticate with the FortiGate unit. When they provide their user name and password, the FortiGate unit recognizes them, determines their quota allowances, and monitors their web use. The category and classification of each page they visit is checked and FortiGate unit adjusts the user’s remaining available quota for the category or classification.
Quota hierarchy
You can apply quotas to categories and category groups. Only one quota per user can be active at any one time. The one used depends on how you configure the FortiGuard Web Filter.
When a user visits a URL, the FortiGate unit queries the FortiGuard servers for the category of the URL. From highest to lowest, the relative priority of the quotas are:
1. Category
2. Category group
I need to access to a category that has been blocked what should I do
You can configure it to allow the override function and you can use an override account to get past it.